Looking out for unauthorized access

With a corporate name like Lookout, it pays to — well — look out. Unfortunately, according to the FTC’s complaint against Lookout Services, Inc., the company’s questionable security practices left the door open for an employee of one of Lookout’s customers to access sensitive information, including Social Security numbers, of thousands of people.

Lookout sells a web-based product called the I-9 Solution. Taking its name from Immigration Services Form I-9 — familiar paperwork to most small businesses — the product is designed to help employers comply with their obligations under federal law. The I-9 Solution collects and stores information from or about its customers’ employees, including names, addresses, dates of birth, Social Security numbers, passport numbers, alien registration numbers, driver’s license numbers, and military ID numbers. Anticipating concerns about security, Lookout told prospective customers, “Although the data is entered via the web, your data will be encoded and transmitted over secured lines to Lookout Services server. This FTP interface will protect your data from interception, as well as, keep the data secure from unauthorized access.” In addition, the company claimed, “Our servers are continuously monitoring attempted network attacks on a 24 x 7 basis, using sophisticated software tools.”

Here’s where the “look out” part comes into play. According to the FTC’s complaint, during a webinar about using the I-9 Solution, an employee of a Lookout business customer got the URL for a secure web page. She later typed that URL into her browser and gained unauthorized access to a portion of the I-9 database. By typing the precise URL into the browser, she bypassed Lookout’s login page and was never prompted to provide a valid user credential. With minimal easy-to-guess changes to the URL, she gained access to the entire database.

Two months later, she went to the public-facing login web page for the I-9 Solution, where she tried several “likely suspect” user IDs and passwords, including the user ID “test” and the password “test.” Because this was a valid credential for one of Lookout’s customers, entering “test” as the user ID and password gave her access to the personal information of the more than 11,000 people employed by that Lookout customer. Then, by making minimal easy-to-guess changes to the URL, she was again able to access the entire database, which included the personal information of more than 37,000 people.

The FTC’s complaint lists a number of questionable practices, including that Lookout:

allowed easy-to-guess user IDs and passwords, including common dictionary words as the password and user ID — or even using the same word for both;

stored passwords in clear text;

failed to require periodic changes of user credentials and didn’t suspend user credentials after a certain number of unsuccessful login attempts;

As the FTC has always said, data security isn’t a “one size fits all” proposition, but put these lapses together and they spell “look out,” resulting in an FTC law enforcement action. To settle the case, the company has agreed to implement a comprehensive information security program, including independent, third-party security audits every other year for 20 years.

On a related note, interested in a big picture perspective on the FTC and data security? Read Bureau of Consumer Protection Director David Vladeck’s recent testimony before the House Committee on Energy and Commerce’s Subcommittee on Commerce, Manufacturing, and Trade.

________________

Offering sound advice is the stock in trade of marketing professionals, the attorneys who represent them — and Moms. This Mother’s Day, the FTC says you can return the favor by giving Mom consumer tips customized to her interests. Whether she’s tech-savvy, globe-trotting, or blinged out, share this online game in her honor — with love from ftc.gov.

Here’s another piece of advice: Send flowers and candy, too.
